Computer virus generation detection apparatus and method

ABSTRACT

An apparatus includes a server connected between a first computer network in which a computer virus may generate and a second computer network or a computer system as an object of security protection. In the apparatus, a collection unit collects irregular data representing a possibility of generation of the computer virus that may attack the server. A decision unit decides whether the computer virus is being generated on the computer network in accordance with the irregular data. A notification unit notifies the second computer network or the computer system of generation of the computer virus when the decision unit decides that the computer virus is being generated.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based upon and claims the benefit of priority fromthe prior Japanese Patent Application P2002-039087, filed on Feb. 15,2002; the entire contents of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to a computer virus generation detectionapparatus and a method for early prevention of damage by a computervirus in a computer network or a computer system as an object ofsecurity protection.

BACKGROUND OF THE INVENTION

Recently, attention has been focused on security techniques to protect acomputer system's hardware and software from a disaster, an accident, anunjust investigation, a destruction or a change by a computer virus.Especially, in proportion to the rapid spread of Internet or Intranet,security on a network is attached importance.

In the prior art, in order to protect against a mixture of computerviruses, a countermeasure using filtering software (for example, VirusBuster presented by TrendMicro Inc.) is mainly adopted. In thisfiltering software, countermeasure data called as “vaccine” detects thecomputer virus and deletes it.

Furthermore, as for the computer virus which attacks and damages asecurity hole of an operating system (for example, Windows® presented byMicrosoft Inc.), damage caused by the computer virus is prevented byapplying a modification program to stop up the security hole.

However, in the prior art, the countermeasure for the computer virus isexecuted after the computer virus is found and specified. Briefly, thecountermeasure is forestalled in every attempt for damage of new(unknown) computer virus. In other words, there is a time lagcorresponding to a period from the generation of the computer virus tothe countermeasure of the computer virus. Accordingly, the computervirus may rapidly spread in several hours before countermeasure data,such as the vaccine or the modification program, are distributed. As aresult, the computer system is greatly damaged in the several hours bythe computer virus.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a computer virusgeneration detection apparatus and a method for early prevention of thedamage by the computer virus in a computer network or a computer systemas an object of security protection.

According to the present invention, there is provided an apparatus fordetecting generation of a computer virus, comprising: a collection unitconfigured to collect irregular data representing a possibility ofgeneration of the computer virus on a computer network; and a decisionunit configured to decide whether the computer virus is generated on thecomputer network in accordance with the irregular data.

Further in accordance with the present invention, there is also providedan apparatus for detecting generation of a computer virus, saidapparatus including a server connected between a first computer networkin which the computer virus may generate and a second computer networkor a computer system as on object of security protection, said apparatuscomprising: a collection unit configured to collect irregular datarepresenting a possibility of generation of the computer virus that mayattack the server; a decision unit configured to decide whether thecomputer virus is being generated on the computer network in accordancewith the irregular data; and a notification unit configured to notifythe second computer network or the computer system of generation of thecomputer virus when said decision unit decides that the computer virusis being generated.

Further in accordance with the present invention, there is also provideda method for detecting generation of a computer virus, comprising:collecting irregular data representing a possibility of generation ofthe computer virus on a computer network; and deciding whether thecomputer virus is being generated on the computer network in accordancewith the irregular data.

Further in accordance with the present invention, there is also provideda method for detecting generation of a computer virus in a server, theserver being connected between a first computer network in which thecomputer virus may generate and a second computer network or a computersystem as an object of security protection, the method comprising:collecting irregular data representing a possibility of generation ofthe computer virus of which attack object is the server; decidingwhether the computer virus is being generated on the computer network inaccordance with the irregular data; and notifying the second computernetwork or the computer system of generation of the computer virus whenthe computer virus is being generated.

Further in accordance with the present invention, there is also provideda computer program product, comprising: a computer readable program codeembodied in said product for causing a computer to detect generation ofa computer virus on a computer network, said computer readable programcode having: a first program code to collect irregular data representinga possibility of generation of the computer virus on a computer network;and a second program code to decide whether the computer virus is beinggenerated on the computer network in accordance with the irregular data.

Further in accordance with the present invention, there is also provideda computer program product, comprising: a computer readable program codeembodied in said product for causing a computer to detect generation ofa computer virus in a server, the server being connected between a firstcomputer network in which the computer virus may generate and a secondcomputer network or a computer system as an object of securityprotection, said computer readable program code having: a first programcode to collect irregular data representing a possibility of generationof the computer virus that may attack the server; a second program codeto decide whether the computer virus is being generated on the computernetwork in accordance with the irregular data; and a third program codeto notify the second computer network or the computer system ofgeneration of the computer virus when the computer virus is beinggenerated.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the computer virus generation detectionapparatus according to the first embodiment of the present invention.

FIG. 2 is a flow chart of processing of the computer virus generationdetection apparatus according to the first embodiment of the presentinvention.

FIG. 3 is a flow chart of decision of generation of the computer virusbased on error quantity measurement according to the first embodiment ofthe present invention.

FIG. 4 is a schematic diagram of one example of an access log in thecase of usually accessing to a server.

FIG. 5 is a schematic diagram of one example of the access log in thecase of accessing to the server with a user's type miss.

FIG. 6 is a schematic diagram of one example of the access log in thecase of unusually accessing the server.

FIG. 7 is a schematic diagram of another example of the access log inthe case of unusually accessing the server.

FIG. 8 is a schematic diagram showing cut positions of a network in acomputer network system according to the first embodiment of the presentinvention.

FIG. 9 is a block diagram of the computer virus generation detectionapparatus according to the second embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Hereafter, various embodiments of the present invention will beexplained by referring to the drawings.

FIG. 1 is a block diagram showing the computer virus generationdetection apparatus according to the first embodiment of the presentinvention. As shown in FIG. 1, the computer virus generation detectionapparatus of the first embodiment is connected to an Internet 1.Furthermore, WWW server 5 is connected to the Internet 1 through afirewall 4, and a company Intranet 2 is connected to the Internet 1through a firewall 6. The firewalls 4 and 6, respectively, executefiltering for improper packet from a viewpoint of security protection.However, the firewalls 4 and 6 are not a necessary component for thepresent invention. Furthermore, as shown in FIG. 1, the WWW server 5 islocated outside of the company Intranet 2 through the firewall 6, i.e.,at the side of the Internet 1. The WWW server 5 prepares an access logmemory 8 for storing access record (log) to the WWW server 5, and anerror detection unit 7 for detecting error occurred for access to theWWW server 5 by referring to the log stored in the access log memory 8.

As a means for collecting irregular data representing a possibility ofgeneration of the computer virus in the Internet 1, the computer virusgeneration detection apparatus 3 includes an exceptional portcommunication detection unit 31, an incomplete packet detection unit 32,a traffic measurement unit 33, and an error quantity measurement unit36. Furthermore, the computer virus generation detection apparatus 3includes a computer virus generation decision unit 34 for syntheticallydeciding whether the computer virus is being generated based on theirregular data acquired from the units 31, 32, 33 and 36, and an unusualgeneration notification unit 35 for informing unusual generation of thecomputer virus based on decision result of the unit 34 to the outside.This unusual generation notification unit 35 communicates with a networkstop decision/command unit 9. The network stop decision/command unit 9operates the company Intranet 2, and can cut a connection between thecompany Intranet 2 and the Internet 1 (network stop). In this case, theunusual generation notification unit 35 is not always necessary for thecomputer virus generation detection unit 3. For example, the decisionresult acquired by the computer virus generation detection unit 34 maybe output to a network manager through a display. The above-mentionedcomputer virus generation detection apparatus 3 can be realized assoftware operating on various kinds of computers.

In general, the computer virus is electronic information such as programdata or combination of the program data transferred through a memorymedium or a communication medium, and includes the contents or theformat which a receiving user (addressee) does not usually imagine. Forexample, information that makes the receiving user's computer workunusually from malice may be a computer virus. However, even ifinformation is reluctantly created or used without malice, theinformation often causes an unexpected result. This information may alsocalled “the computer virus”. Furthermore, as for transmission form andmedium of the computer virus, there are no limitations. For example, thecomputer virus may exist in the memory medium, the computer virus may betransferred with an electronic mail sent or a file commonly used, or thecomputer virus may multiply through Internet normally called “Worm”.Briefly, various kinds of the transmission form and the medium areapplied for the computer virus. Furthermore, even if transmittalinformation is normally expected for the receiving user, if theinformation causes an unexpected result by the combination, thetransmission order or the transmission speed, this information may becalled “the computer virus” as a whole.

In the company network, an infection of the computer virus into theIntranet preparing a firewall occurs starting from a human system suchas receiving of the electronic mail including the computer virus oraccess to a company homepage. Accordingly, the infection of the computervirus may be delayed for 1˜10 hours from the generation of the computervirus. Furthermore, the computer virus may infect other computer systemthrough TCP/IP communication.

In the computer virus generation detection apparatus 3 of the presentinvention, it is early decided early whether such computer virus isbeing generated on the Internet 1 while this computer virus is notspecified yet. Briefly, before countermeasure data such as vaccine isprovided with clearance of the kind or the special feature of thecomputer virus, i.e., in a state of unknown computer virus, thegeneration of the unknown computer virus can be detected. In order todetect the computer virus, irregular data representing a possibility ofgeneration of the computer virus are collected. The irregular datarepresents facts, such as TCP/IP communication using an exceptional portnormally unused, the generation of one or more incomplete packets basedon unusual TCP/IP communication, an unusual increase of traffic(communication quantity), and an unusual increase of error quantity.

FIG. 2 is a flow chart showing operation of the computer virusgeneration detection apparatus according to the first embodiment of thepresent invention. First, connection processing between the computervirus generation detection apparatus 3 and the Internet 1 is executed(S1). After connecting to the Internet 1, measurement of the errorquantity (S2), detection of communication using the exceptional port(S3), detection of the incomplete packet (S4) and measurement of traffic(S5) are respectively executed. In FIG. 2, each processing S2˜S5 istypically executed in parallel. However, these processing may beexecuted in arbitrary order. In each processing S2˜S5, the irregulardata representing a possibility of generation of the computer virus arecollected and sent to the computer virus generation decision unit 34.The computer virus generation decision unit 34 synthetically decideswhether an unknown computer virus is being generated by referring to theirregular data collected at steps S2˜S5. This decision processingincludes a processing for comparing the measured error quantity or themeasured traffic with a threshold, a statistical processing, or aheuristic processing.

Next, if it is decided that the computer virus is being generated (S7),the processing is forwarded to step S8. If it is not decided, theprocessing is returned to steps S2˜S5. At step S8, the unusualgeneration notification unit 35 sends an unusual generation noticerepresenting the generation of unknown computer virus to the networkstop decision/command unit 9.

In this place, decision processing (S6) of generation of the computervirus based on the measurement of error quantity (S2) is explained byreferring to FIG. 3 (flow chart) and FIGS. 4˜7. First, the errorquantity measurement unit 36 in the computer virus generation detectionapparatus 3 accesses to the WWW server 5 through the error detectionunit 7 (S11). When the computer virus is being generated, the companyIntranet 2 is not infected with the computer virus. Because mostcomputer viruses are generated from outside (mainly foreign countries)of the company Intranet 2, the computer virus being generated firsttakes aim of the WWW server 5 of which address (for example, “.com”domain) is clearly specified. After that, the computer virus graduallyspreads to another server. When a user accesses using a browser to WWWserver 5 infected by the computer virus, the company Intranet 2 is alsoinfected. From a point of protection against the computer virus, a unitable to early find the generation of the computer virus is the WWWserver 5 first aimed by the computer virus.

The error quantity measurement unit 36 requests an error log from accesslogs stored in the access log memory 8 through the error detection unit7 of the WWW server 5 (S12). Then, the error quantity measurement unit36 analyzes the error log acquired from the error detection unit 7(S13). FIG. 4 shows one example of the access log 40 normally accessed.FIG. 5 shows one example of the access log 50 in the case of occurringerror by a user's miss of inputting “URL”. These access logs 40 and 50represents a sample log in the case that the user accesses to Web pageof URL “http://host/cool/vmware/FAQ.html” by Browser. The contents 41 inFIG. 4 are correct URL. However, when the user erroneously types URL 51in FIG. 5, the WWW server 5 processes the URL 51 as an input error, andthe error log 50 in FIG. 5 is recorded in the access log memory 8. Thiserror log 50 is irrelevant to the computer virus.

On the other hand, FIG. 6 shows one example of the access log in thecase of irregularly accessing to the WWW server 5. For example, in thecase of the computer virus “Nimda” that caused trouble recently, thecomputer virus irregularly accessed the WWW server 5 by aiming at asecurity hole of the WWW server 5 as shown in the access log 60 in FIG.6. Concretely, a URL including very long character strings 61 and 62 inFIG. 6 is sent to the WWW server 5. In the WWW server 5, the characterstrings 62 are piled in a stack as an arbitrary program and executed bymanager authority (root authority). This technique is generally calledan “attack”. The attack is executed by a command input of the user'soperation or executed by a program automatically. The access indicatinga long URL shown in FIG. 6 is decided to be irregular access (S14). Bychecking a length of the character strings of URL, it is easily decided.

FIG. 7 shows another example of the access log in the case ofirregularly accessing to the WWW server 5. In FIG. 7, a character string71 represents activation of “C:536 winnnt¥system32¥cmd.exe” on Windows®operating system in order to execute arbitrary program. This irregularaccess is recorded as the error log 70 in FIG. 7. It is not easilydecided that the error log 70 is “attack”. However, a pattern of theerror log 70 is different from a pattern of the user's type miss.Accordingly, by checking the pattern of the error log, the error log isdecided as an “attack”.

In the case of generating the computer virus, the error shown in FIGS. 6and 7 temporarily increases. Accordingly, the error quantity measurementunit 36 measures the increase of error quantity per unit time. Thismeasurement result is provided for decision processing by the computervirus generation decision unit 34.

In FIG. 3, if the error log is decided to be irregular access (S14),decision processing of generation of the computer virus is executed(S16). However, before executing step S16, an unusual increase of theerror quantity may be decided (S15). Furthermore, without the decisionof an irregular access shown in FIGS. 6 and 7, the unusual increase ofthe error quantity may be decided.

The computer virus generation decision unit 34 receives the irregulardata representing the unusual increase of error quantity measured by theerror quantity measurement unit 36, and decides whether the computervirus is being generated by comparing the irregular data with athreshold. It is desirable that a user interface for the user toarbitrarily set the threshold is prepared. When the computer virusgeneration decision unit 34 decides that the computer virus is beinggenerated, this information is sent to the unusual generationnotification unit 35. The unusual generation notification unit 35establishes a communication with the network stop decision/command unit9, and sends an unusual generation notice representing the generation ofthe computer virus to the network stop decision/command unit 9. Inresponse to the unusual generation notice, the network stopdecision/command unit 9 cuts. (closes) a connection or subconnectionsbetween the Internet 1 and the company Intranet 2 at several cutposition (×) shown in FIG. 8.

As mentioned-above, in the first embodiment, on the Internet 1 outsideof the company Intranet 2 through the firewalls 4 and 6, the generationof the computer virus is detected. When detecting the generation of thecomputer virus, it is sufficiently expected that the company Intranet isnot infected with the computer virus yet. Moreover, in a period untildetail information or countermeasure information related to thiscomputer virus is made clear, the company Intranet 2 is stopped or apart of service such as WWW is stopped if necessary. Especially, in thefirst embodiment, the generation of not only known computer virus butalso unknown computer virus is perfectly detected. This detection isextremely effective for countermeasure of security. As a result, asuitable countermeasure is taken before the damage rapidly enlarges byspreading the infection of the computer virus. In one example, it isoften the case that the computer virus spreads in the daytime of USA. InJapan, the countermeasure based on the present invention can beautomatically taken in the nighttime, i.e., before the employee's goingto office.

In the case of generating an unknown computer virus, it is desirablethat a user finally decides whether the unknown computer virus isdangerous. This can be realized when the computer virus generationdecision unit 34 and the unusual generation notification unit 35 receivean operation of the user (system manager). On the other hand, if thenetwork stop decision/command unit 9 automatically stops the networkwithout the user's decision, it may provide a hindrance for operation ofthe company Intranet 2. However, it may be better than a state that thecompany Intranet exposes itself to the attack of the computer virus.Especially, it is desirable that the company Intranet 2 isunconditionally stopped in the nighttime.

In the first embodiment, the computer virus generation detectionapparatus 3 is located outside the company Intranet 2 through thefirewalls 4 and 6. On the other hand, in the second embodiment of thepresent invention, the computer virus generation detection apparatus 3is located inside of the company Intranet 2. FIG. 9 is a block diagramof a system including the computer virus generation detection apparatus3 according to the second embodiment of the present invention.

In FIG. 9, the internal component of the computer virus generationdetection apparatus 3 is the same as that of the first embodiment shownin FIG. 1. However, in the second embodiment, an object to detect theattack of the computer virus is not the WWW server 5 but a server (notshown in FIG. 9) included in the company Intranet 2. Furthermore, as forthe detection of exceptional port communication, the detection ofincomplete packet and the measurement of traffic, the object to detectthe attack of the computer virus is the company Intranet 2. In thesecond embodiment, countermeasure for damage of the computer virus inthe company can be early executed in the same way of the firstembodiment. Furthermore, when it is decided that the computer virusgenerates outside of the company Intranet 2, a connection (also called asub connection) between the company Intranet 2 and the outside is cut ata position (×) as shown in FIG. 9.

Furthermore, in the second embodiment, a deletion countermeasure unit 80cooperating with the computer virus generation detection apparatus 3 isset. As the countermeasure data to delete the known computer virus, forexample, the deletion countermeasure unit 80 distributes a modificationprogram to treat a pattern file or a security hole to a client machinein the company Intranet 2. This deletion countermeasure unit 80 may beadded to the component of the first embodiment.

In the second embodiment of the present invention, an operational effectthat is the same as the first embodiment can be obtained. Furthermore, aplurality of servers including not only the company server 2 but alsothe outside server (for example, the WWW server 5) may be respectivelythe object to detect the attack. In this case, the ability to detect thecomputer virus can be further raised.

The present invention is not limited to above-mentioned embodiments, andcan be executed as various modifications. For example, detection andcountermeasure of the known computer virus, such as file infection typeor macro infection type, may be used together with operation of thepresent invention. In this case, security countermeasure becomes firmer.

As mentioned-above, in embodiments of the present invention, thegeneration of the computer virus on the network is detected at an earlystage. Accordingly, it prevents the computer network or the computersystem as the object of security protection from becoming infected withthe computer virus and damaging the network or system.

For embodiments of the present invention, the detection processing ofthe generation of computer virus of the present invention can beaccomplished by a computer-executable program, and this program can berealized in a computer-readable memory device.

In embodiments of the present invention, the memory device, such as amagnetic disk, a floppy disk, a hard disk, an optical disk (CD-ROM,CD-R, DVD, and so on), an optical magnetic disk (MD, and so on) can beused to store instructions for causing a processor or a computer toperform the processes described above.

Furthermore, based on an indication of the program installed from thememory device to the computer, OS (operation system) operating on thecomputer, or MW (middle ware software), such as database managementsoftware or network, may execute one part of each processing to realizethe embodiments.

Furthermore, the memory device is not limited to a device independentfrom the computer. By downloading a program transmitted through a LAN orthe Internet, a memory device in which the program is stored isincluded. Furthermore, the memory device is not limited to one. In thecase that the processing of the embodiments is executed by a pluralityof memory devices, a plurality of memory devices may be included in thememory device. The component of the device may be arbitrarily composed.

In embodiments of the present invention, the computer executes eachprocessing stage of the embodiments according to the program stored inthe memory device. The computer may be one apparatus such as a personalcomputer or a system in which a plurality of processing apparatuses areconnected through the network. Furthermore, in embodiments of thepresent invention, the computer is not limited to the personal computer.Those skilled in the art will appreciate that a computer includes aprocessing unit in an information processor, a microcomputer, and so on.In short, the equipment and the apparatus that can execute the functionsin embodiments of the present invention using the program are generallycalled the computer.

Other embodiments of the invention will be apparent to those skilled inthe art from consideration of the specification and practice of theinvention disclosed herein. It is intended that the specification andexamples be considered as exemplary only, with the true scope and spiritof the invention being indicated by the following claims.

1-20. (canceled)
 21. A method for detecting a computer virus in a serverbetween an Internet and a company Intranet, the method comprising:collecting communication data in the server; deciding whether a computervirus exists in the server in accordance with the communication data;notifying the company Intranet of existence of the computer virus whenthe computer virus is detected; and cutting a connection between theInternet and the company Intranet when the computer virus is detected.22. The method according to claim 21, wherein the collecting stepcomprises detecting generation of network communication with a portusually unused as the communication data.
 23. The method according toclaim 21, wherein the collecting step comprises detecting generation ofan incomplete packet in packet communication processing based on apredetermined protocol as the communication data.
 24. The methodaccording to claim 21, wherein the collecting step comprises detectingan unusual increase in traffic on the computer network as thecommunication data.
 25. The method according to claim 21, wherein thecollecting step comprises detecting an increase in a quantity of errorsdue to network access as the communication data.
 26. The methodaccording to claim 21, wherein the collecting step comprises requestingan error log from the server; and analyzing the error log in order todecide whether the server was irregularly accessed.
 27. The methodaccording to claim 26, wherein the collecting step comprises checking acharacter length of a URL included in the error log; and deciding thatthe server was irregularly accessed if the character length of the URLis above a threshold.
 28. The method according to claim 26, wherein thecollecting step comprises checking a pattern of a URL included in theerror log; and deciding that the server was irregularly accessed if thepattern of the URL is different from a user's type pattern.
 29. Themethod according to claim 26, wherein the collecting step comprisesmeasuring an error quantity per unit time; and deciding whether theerror quantity increases based on the measurement result.
 30. The methodaccording to claim 29, wherein if the server was irregularly accessed orthe error quantity increases, the deciding step comprises comparing theerror quantity with a threshold; and deciding whether the computer virusexists in the server.
 31. The method according to claim 21, wherein thecutting step comprises cutting a first sub connection between theInternet and the server.
 32. The method according to claim 21, whereinthe cutting step comprises cutting a second sub connection between theserver and the company Intranet.
 33. The method according to claim 21,further comprising causing deletion of the computer virus in the companyIntranet.